INTERNET-DRAFT Tatikayala Sai Gopal
Intended Status: <Informational> C-DAC Hyderabad
Expires: July 10, 2014 January 09, 2014
Securing UDT using TLS/DTLS draft-tsg-tls-udt-sec-01.txt
Abstract
This document describes how to provide security for the UDP-based Data
Transfer (UDT) protocol. UDT is an application-level protocol built on
top of UDP, which uses the bandwidth of high-speed networks more
effectively than TCP. UDT relies on the layer above it for security
because it has no built-in security mechanisms. This document proposes
the use of Transport Layer Security (TLS)/Datagram Transport Layer
Security (DTLS) for securing the UDT protocol.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright and License Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
<Tatikayala Sai Gopal> Expires July 10 2014 [Page 1]
INTERNET DRAFT <UDT Security> January 09, 2014
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Integration with TLS/DTLS . . . . . . . . . . . . . . . . . . . 3
3 Mapping of UDT socket with SSL structure . . . . . . . . . . . 5
4 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
5 Security Considerations . . . . . . . . . . . . . . . . . . . . 6
6 Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7 References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1 Normative References . . . . . . . . . . . . . . . . . . . 6
7.2 Informative References . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
1 Introduction
TCP underutilizes the network as the Bandwidth Delay Product (BDP)
increases [LL07]. Several TCP variants, such as Scalable TCP, BIC TCP
and logarithmic TCP, have been proposed for efficient utilization of
high-speed networks, but they suffer from severe RTT unfairness [SY09].
UDT is designed to overcome this limitation of TCP. Although UDT [UDT]
uses UDP to transfer data, it is connection oriented and unicast, and
it provides a reliable duplex channel [GH04]. UDT allows user-defined
congestion control algorithms to be plugged in and supports both
reliable data streaming and partial reliable messaging [GG07].
Reliable data streaming is similar to TCP, whereas partial reliable
messaging is similar to UDP. Through a UDT socket, the application
passes data to the UDT layer, which in turn uses a UDP channel to
deliver it. A UDT socket is a logical entity that internally maps to
a UDP socket.
Because UDT is an application-level protocol with a modularized
framework [GG08], it is easy to deploy and is considered an
alternative data transfer protocol that provides faster data transfer.
However, it does not provide security in terms of confidentiality,
authentication and integrity [BH09]. The UDT layer has to depend on
the layer above it to achieve security. UDT is implemented by each
application rather than by the operating system or network stack, so
security must be implemented on a per-application basis.
The absence of security in UDT has led researchers to explore already
proven security mechanisms. Several approaches have been proposed for
securing UDT applications, including IPsec, the Generic Security
Service Application Programming Interface (GSS-API) [BH10b], and
Transport Layer Security (TLS)/Datagram Transport Layer Security
(DTLS) [BH10a]. TLS/DTLS is the most widely used security mechanism
that provides secure communication over an insecure channel. This
document presents the integration of TLS [RFC5246] / DTLS [RFC6347]
with UDT for securing application data.
1.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2 Integration with TLS/DTLS
Figure 1 depicts the position of TLS/DTLS in the layered architecture
of the TCP/IP stack. TLS provides security for reliable transport
protocols, whereas DTLS provides security for unreliable transport
protocols. A UDT application must use TLS for reliable data streaming
and DTLS for partial reliable messaging to secure the UDT application.
The application programmer has to choose whether the application
requires reliable data streaming or partial reliable messaging. Adding
TLS/DTLS does not lead to IP fragmentation, because the UDT layer
divides data into equal packets of size 1472.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      UDT Application                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             TLS             |            DTLS             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             UDT             |             UDT             |
|        Reliable mode        | partial reliable messaging  |
|                             |                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            UDP                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Position of TLS/DTLS in Layered Architecture
To provide security for UDT, TLS/DTLS has to be modified to call UDT
rather than TCP/UDP. This can be achieved using Basic Input and Output
(BIO) objects, which are part of the OpenSSL library [OPENSSL].
OpenSSL is a general-purpose cryptographic library that supports both
TLS and DTLS. BIO objects hide the details of the underlying layer and
allow the programmer to connect to different I/O channels such as a
TCP socket, a UDP socket, memory, a terminal, etc. BIO_METHOD is a
pointer in the BIO object that holds the pointers to the lower-layer
functionality.
Similarly, a BIO_METHOD object must be created and mapped to the UDT
BIO object; this BIO_METHOD holds the pointers to the UDT
functionality:
   /* BIO_METHOD as declared in OpenSSL's bio.h; each entry points to
    * the lower-layer function that implements that BIO operation */
   typedef struct bio_method_st
   {
       int type;
       const char *name;
       int (*bwrite)(BIO *, const char *, int);
       int (*bread)(BIO *, char *, int);
       int (*bputs)(BIO *, const char *);
       int (*bgets)(BIO *, char *, int);
       long (*ctrl)(BIO *, int, long, void *);
       int (*create)(BIO *);
       int (*destroy)(BIO *);
       long (*callback_ctrl)(BIO *, int, bio_info_cb *);
   } BIO_METHOD;
bwrite, bread and bputs are wrapper functions that point to the
UDT::write, UDT::read and UDT::send functions respectively. These
wrapper functions allow OpenSSL to call UDT functions. The TLS and
DTLS wrapper functions are present in bss_sock.c and bss_dgram.c.
Similarly, create bss_udt.c, which holds the wrapper functions for
UDT. For example, sock_write() internally calls UDT::send():

   static int sock_write(BIO *b, const char *in, int inl)
   {
       /* b->num holds the UDT socket descriptor set via BIO_set_fd() */
       int ret = UDT::send(b->num, in, inl, 0);
       /* ... retry-flag and error handling, as in bss_sock.c ... */
       return ret;
   }
3 Mapping of UDT socket with SSL structure
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     +-+-+-+-+-+-+-+                     |
|                     | UDT Socket  |                     |
|                     +-+-+-+-+-+-+-+                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             |
                             |
                             V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  +-+-+-+-+-+-+     +-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+  |
|  |    SSL    | --> |     UDT     | --> |     UDT     |  |
|  |   object  |     | BIO object  |     | BIO_METHOD  |  |
|  +-+-+-+-+-+-+     +-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             |
                             |
                             V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        UDT Layer                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             |
                             |
                             V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        UDP Layer                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Mapping of SSL BIO object with UDT functionality
Figure 2 shows the mapping of the SSL BIO object to the UDT
functionality. On each side a BIO object MUST be created and SHOULD be
linked to the SSL structure. The following are the steps to link a UDT
BIO object with the SSL structure.
   /* creating SSL structure */
   ssl = SSL_new(ctx);
   /* creating a BIO object for UDT */
   bio = BIO_new(BIO_s_udtsock());
   /* mapping BIO object with UDT socket */
   BIO_set_fd(bio, udt_session_fd, BIO_NOCLOSE);
   /* mapping of SSL and BIO object */
   SSL_set_bio(ssl, bio, bio);
BIO_s_udtsock() maps the BIO object to the UDT functionality. Once the
UDT socket has been mapped to the corresponding SSL structure, the UDT
application has to call SSL_connect() on the client side and
SSL_accept() on the server side to establish a shared session key. The
application then calls SSL_write()/SSL_read(), which encrypt/decrypt
the data using the shared session key.
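As an added illustration (not code from this draft, from OpenSSL or from UDT), the following C program models the two pieces described in Sections 2 and 3: a BIO_METHOD-style dispatch table whose bwrite/bread/ctrl entries forward to a simulated in-memory UDT socket, and the BIO_set_fd() mapping that stores the socket in the BIO. It also shows the one behaviour the wrappers must get right for SSL_read() to work over a non-blocking UDT socket: UDT's "no data yet" result is reported as a retry, not as a hard error. The simulated socket table, udt_send/udt_recv, BIO_s_udtsock() and the two demo functions are constructed for this example, and the numeric values of UDT_EASYNCRCV, BIO_C_SET_FD and BIO_FLAGS_SHOULD_RETRY are assumed.

```c
/* Model of bss_udt.c: BIO_METHOD-style table whose entries hit a simulated UDT socket. */
#include <string.h>
enum { UDT_ERROR = -1, UDT_EASYNCRCV = 6002, MAX_SOCK = 4, BUF_SZ = 4096 }; /* codes assumed */
static struct { char buf[BUF_SZ]; int len; } udt_socks[MAX_SOCK];   /* index plays the UDTSOCKET */
static int udt_last_error;                                          /* models UDT::getlasterror() */
static int udt_send(int s, const char *in, int inl) {               /* stands in for UDT::send */
    if (s < 0 || s >= MAX_SOCK || inl < 0 || inl > BUF_SZ - udt_socks[s].len) return UDT_ERROR;
    memcpy(udt_socks[s].buf + udt_socks[s].len, in, inl); udt_socks[s].len += inl; return inl;
}
static int udt_recv(int s, char *out, int outl) {                   /* stands in for UDT::recv */
    int n;
    if (s < 0 || s >= MAX_SOCK || outl < 0) { udt_last_error = 0; return UDT_ERROR; } /* other */
    if (udt_socks[s].len == 0) { udt_last_error = UDT_EASYNCRCV; return UDT_ERROR; } /* would block */
    n = outl < udt_socks[s].len ? outl : udt_socks[s].len;
    memcpy(out, udt_socks[s].buf, n);
    memmove(udt_socks[s].buf, udt_socks[s].buf + n, udt_socks[s].len - n); udt_socks[s].len -= n;
    return n;
}
typedef struct bio_st { const struct bio_method_st *method; int num; int flags; } BIO; /* num = fd */
typedef struct bio_method_st {          /* the draft's bio_method_st, reduced to the fields used here */
    int type; const char *name;
    int (*bwrite)(BIO *, const char *, int); int (*bread)(BIO *, char *, int);
    long (*ctrl)(BIO *, int, long, void *);
} BIO_METHOD;
#define BIO_FLAGS_SHOULD_RETRY 0x08
#define BIO_C_SET_FD 104
static int udt_write(BIO *b, const char *in, int inl) { b->flags = 0; return udt_send(b->num, in, inl); }
static int udt_read(BIO *b, char *out, int outl) {
    int ret = udt_recv(b->num, out, outl);
    b->flags = 0;                                   /* "no data yet" must not surface as a failure: */
    if (ret == UDT_ERROR && udt_last_error == UDT_EASYNCRCV) b->flags = BIO_FLAGS_SHOULD_RETRY;
    return ret;                                     /* SSL_read() then retries instead of aborting */
}
static long udt_ctrl(BIO *b, int cmd, long larg, void *parg) {      /* what BIO_set_fd() invokes */
    (void)larg; if (cmd != BIO_C_SET_FD) return 0; b->num = *(int *)parg; return 1;
}
static const BIO_METHOD methods_udt = { 0, "udt socket", udt_write, udt_read, udt_ctrl };
const BIO_METHOD *BIO_s_udtsock(void) { return &methods_udt; }
/* Write msg through the table on simulated socket fd and read it back; returns bytes read. */
int udt_bio_roundtrip(int fd, const char *msg, char *out, int outl) {
    BIO bio = { BIO_s_udtsock(), -1, 0 };
    bio.method->ctrl(&bio, BIO_C_SET_FD, 0, &fd);                   /* BIO_set_fd(bio, fd, ...) */
    if (bio.method->bwrite(&bio, msg, (int)strlen(msg)) != (int)strlen(msg)) return -1;
    return bio.method->bread(&bio, out, outl);
}
/* Reading an empty socket must report "retry", not a hard error; returns 1 when the BIO does so. */
int udt_bio_retry_on_empty(int fd) {
    BIO bio = { BIO_s_udtsock(), fd, 0 }; char tmp[8];
    return bio.method->bread(&bio, tmp, sizeof tmp) == UDT_ERROR && (bio.flags & BIO_FLAGS_SHOULD_RETRY) != 0;
}
```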
4 IANA Considerations
This document uses the same identifiers as TLS and DTLS, so no new
IANA registries are required.
5 Security Considerations
UDT relies on TLS/DTLS to provide authentication, confidentiality and
integrity of data. Therefore, most of the security considerations are
the same as those of TLS and DTLS. The additional security
consideration raised by UDT is the random sequence number used in the
initial UDT handshake. The random sequence number should be
unpredictable in order to avoid spoofing or session hijacking. The
absence of a checksum in the UDT header may result in incorrect
forwarding of a packet by the UDP layer.
6 Limitation
bss_udt.c can either be compiled with every application or be made
part of the OpenSSL library. If it is part of the OpenSSL library, it
has to be compiled with a g++ compiler rather than with gcc, since UDT
is written in C++.
7 References
7.1 Normative References
7.2 Informative References
[BH09] D.V. Bernardo and D. Hoang, "Network Security Considerations
for a New Generation Protocol UDT", Proceedings of the 2nd IEEE
ICCIST Conference, 2009.
[BH10a] D.V. Bernardo and D.B. Hoang, "A Pragmatic Approach: Achieving
Acceptable Security Mechanisms for High Speed Data Transfer
Protocol - UDT", International Journal of Network Security and its
Applications, Vol. 4, No. 3, 2010.
[BH10b] D.V. Bernardo and D.B. Hoang, "Protecting Next Generation High
Speed Network Protocol - UDT through Generic Security Service
Application Program Interface - GSS API", 4th IEEE International
Conference on Emerging Security Information, Systems and
Technologies, SECUREWARE 2010.
[GG07] Yunhong Gu and Robert L. Grossman, "UDT: UDP-based Data
Transfer for High Speed Wide Area Networks", The International
Journal of Computers and Telecommunications Networking, Vol. 51,
May 2007.
[GH04] Yunhong Gu, Xinwei Hong and Robert L. Grossman, "Experiences in
Design and Implementation of a High Performance Transport Protocol",
Nov 2004.
[GG08] Yunhong Gu and Robert Grossman, "UDTv4: Improvements in
Performance and Usability", Gridnets 2008.
[UDT] UDT: UDP-based Data Transfer, URL http://udt.sourceforge.net
[OPENSSL] OpenSSL Project, URL http://www.openssl.org
[LL07] Yee-Ting Li, Douglas Leith and Robert N. Shorten,
"Experimental Evaluation of TCP Protocols for High Speed Networks",
IEEE/ACM Transactions on Networking, Oct 2007.
[SY09] Sangtae Ha, Yusung Kim, Long Le, Injong Rhee and Lisong Xu,
"A Step toward Realistic Performance Evaluation of High-Speed TCP
Variants", 18th August 2009.
Authors' Addresses
Tatikayala Sai Gopal,
Centre for Development of Advanced Computing(C-DAC) Hyderabad,
Hyderabad-500085
INDIA
Email: saigopalt@cdac.in
Rahul Jain,
Centre for Development of Advanced Computing(C-DAC) Hyderabad,
Hyderabad-500085
INDIA
Email: rahulj@cdac.in
Reddy Lakshmi Eswari P,
Centre for Development of Advanced Computing(C-DAC) Hyderabad,
Hyderabad-500085
INDIA
Email: prleswari@cdac.in
Jyostna G,
Centre for Development of Advanced Computing(C-DAC) Hyderabad,
Hyderabad-500085
INDIA
Email: gjyostna@cdac.in